Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-01-13
CVE-2025-14720 - Amelia Plugin
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. This makes it possible for unauthenticated attackers to mark payments as refunded, trigger sending of queued notifications (emails/SMS/WhatsApp), and access debug information among other things.
PLUGIN
Amelia
CVE-2025-14720
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2025-14718 - Schedule Post Changes With Publishpress Future Plugin
The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Contributor-level access and above, to create, update, delete, and publish malicious workflows that may automatically delete any post upon publication or update, including posts created by administrators.
PLUGIN
Schedule Post Changes With Publishpress Future
CVE-2025-14718
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2025-14574 - Wedocs Plugin
The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including third party services API keys.
PLUGIN
Wedocs
CVE-2025-14574
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2025-14803 - Nex Forms Plugin
The NEX-Forms WordPress plugin before 9.1.8 does not sanitise and escape some of its settings. The NEX-Forms WordPress plugin before 9.1.8 can be configured in such a way that could allow subscribers to perform Stored Cross-Site Scripting.
PLUGIN
Nex Forms
CVE-2025-14803
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2025-13749 - Defer Plugin
The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing nonce validation on the "wbcr_upm_change_flag" function. This makes it possible for unauthenticated attackers to disable plugin/theme update notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Defer
CVE-2025-13749
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2025-14886 - Woocommerce For Japan Plugin
The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processed/completed.
PLUGIN
Woocommerce For Japan
CVE-2025-14886
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-22714 - Mediawiki - Monaco Skin Plugin
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Monaco Skin allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Monaco Skin: 1.45, 1.44, 1.43, 1.39.
PLUGIN
Mediawiki - Monaco Skin
CVE-2026-22714
Risk Score
Threat Entry
Updated 2026-02-12
CVE-2026-22713 - Mediawiki - GrowthExperiments Extension Plugin
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - GrowthExperiments Extension: 1.45, 1.44, 1.43, 1.39.
PLUGIN
Mediawiki - GrowthExperiments Extension
CVE-2026-22713
Risk Score
Threat Entry
Updated 2026-01-22
CVE-2026-0733 - Online Course Registration System Plugin
A vulnerability was determined in PHPGurukul Online Course Registration System up to 3.1. This impacts an unknown function of the file /onlinecourse/admin/manage-students.php. This manipulation of the argument id/cid causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
PLUGIN
Online Course Registration System
CVE-2026-0733
Risk Score
Threat Entry
Updated 2026-01-14
CVE-2026-0732 - DI-8200G Plugin
A vulnerability was found in D-Link DI-8200G 17.12.20A1. This affects an unknown function of the file /upgrade_filter.asp. The manipulation of the argument path results in command injection. The attack may be performed from remote. The exploit has been made public and could be used.
PLUGIN
DI-8200G
CVE-2026-0732
Risk Score
Threat Entry
Updated 2026-02-12
CVE-2026-22712 - Mediawiki - ApprovedRevs Extension Plugin
Improper Encoding or Escaping of Output due to magic word replacement in ParserAfterTidy vulnerability in The Wikimedia Foundation Mediawiki - ApprovedRevs Extension allows Input Data Manipulation.This issue affects Mediawiki - ApprovedRevs Extension: 1.45, 1.44, 1.43, 1.39.
PLUGIN
Mediawiki - ApprovedRevs Extension
CVE-2026-22712
Risk Score
Threat Entry
Updated 2026-02-12
CVE-2026-22710 - Mediawiki - Wikibase Extension Plugin
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Wikibase Extension: 1.45, 1.44, 1.43, 1.39.
PLUGIN
Mediawiki - Wikibase Extension
CVE-2026-22710
Risk Score
Threat Entry
Updated 2026-01-29
CVE-2026-0731 - WA1200 Plugin
A vulnerability has been found in TOTOLINK WA1200 5.9c.2914. The impacted element is an unknown function of the file cstecgi.cgi of the component HTTP Request Handler. The manipulation leads to null pointer dereference. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.
PLUGIN
WA1200
CVE-2026-0731
Risk Score
Threat Entry
Updated 2026-01-22
CVE-2026-0729 - Intern Membership Management System Plugin
A vulnerability was detected in code-projects Intern Membership Management System 1.0. Impacted is an unknown function of the file /intern/admin/add_activity.php. Performing a manipulation of the argument Title results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.
PLUGIN
Intern Membership Management System
CVE-2026-0729
Risk Score
Threat Entry
Updated 2026-01-22
CVE-2026-0730 - Staff Leave Management System Plugin
A flaw has been found in PHPGurukul Staff Leave Management System 1.0. The affected element is the function ADD_STAFF/UPDATE_STAFF of the file /staffleave/slms/slms/adminviews.py of the component SVG File Handler. Executing a manipulation of the argument profile_pic can lead to cross site scripting. The attack can be executed remotely. The exploit has been published and may be used.
PLUGIN
Staff Leave Management System
CVE-2026-0730
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2025-14436 - Woocommerce Sendinblue Newsletter Subscription Plugin
The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user_connection_id’ parameter in all versions up to, and including, 4.0.49 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Woocommerce Sendinblue Newsletter Subscription
CVE-2025-14436
Risk Score
Threat Entry
Updated 2026-02-02
CVE-2026-22588 - Spree Plugin
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request, the backend server accepts and processes references to addresses belonging to other users, subsequently associating those addresses with the attacker’s order and returning them in the response. This issue has…
PLUGIN
Spree
CVE-2026-22588
Risk Score
Threat Entry
Updated 2026-01-22
CVE-2026-0728 - Intern Membership Management System Plugin
A security vulnerability has been detected in code-projects Intern Membership Management System 1.0. This issue affects some unknown processing of the file /intern/admin/delete_admin.php. Such manipulation of the argument admin_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.
PLUGIN
Intern Membership Management System
CVE-2026-0728
Risk Score
Threat Entry
Updated 2026-01-22
CVE-2026-0747 - Remote Desktop Manager Plugin
Exposure of sensitive information in the TeamViewer entry dashboard component in Devolutions Remote Desktop Manager 2025.3.24.0 through 2025.3.28.0 on Windows allows an external observer to view a password on screen via a defective masking feature, for example during physical observation or screen sharing.
PLUGIN
Remote Desktop Manager
CVE-2026-0747
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-22257 - Salvo Plugin
Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder without sanitizing the files or folders names, this may potentially lead to XSS in cases where a website allow the access to public files using this feature and anyone can upload a file. This issue has been patched in version 0.88.1.
PLUGIN
Salvo
CVE-2026-22257
Risk Score